Web Push Notifications – Webpushr Security & Risk Analysis

wordpress.org/plugins/webpushr-web-push-notifications

Fastest growing & lightweight plugin for Web Push Notifications. Add browser push notifications to your WordPress & WooCommerce site.

10K active installs · v4.39.0 · PHP 5.6+ · WP 3.8+ · Updated Feb 5, 2026
Tags: free-web-push-notifications, push-notifications, web-push, web-push-notifications, webpushr
Score: 92 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jan 25, 2026
Safety Verdict

Is Web Push Notifications – Webpushr Safe to Use in 2026?

Generally Safe

Score 92/100

Web Push Notifications – Webpushr has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jan 25, 2026 · Updated 1mo ago
Risk Assessment

The webpushr-web-push-notifications plugin version 4.39.0 exhibits a mixed security posture. While it demonstrates some good practices like the use of prepared statements for a majority of its SQL queries and a decent number of nonce and capability checks, significant concerns arise from its entry points and historical vulnerability patterns. The presence of an unprotected AJAX handler presents a direct attack vector, and the taint analysis revealed a flow with an unsanitized path, suggesting potential for vulnerabilities if not handled carefully. The plugin's history of four known CVEs, including high and medium severity issues like Cross-Site Scripting, Missing Authorization, and Exposure of Sensitive Information, indicates a recurring struggle with robust security implementation. The commonality of these vulnerability types suggests systemic issues in input validation, authorization, and output sanitization that need persistent attention. While the current version has no unpatched vulnerabilities, the past pattern and the static analysis findings necessitate vigilance. Overall, the plugin has strengths in areas like SQL handling, but the unprotected entry points and historical issues warrant a cautious approach to its deployment.

Key Concerns

  • Unprotected AJAX handler
  • Flow with unsanitized paths
  • High severity past vulnerabilities (2 high)
  • Medium severity past vulnerabilities (2 medium)
  • Output escaping is inconsistent (54% of outputs escaped)
Vulnerabilities
4

Web Push Notifications – Webpushr Security Vulnerabilities

CVEs by Year

2023: 2 CVEs
2024: 1 CVE
2026: 1 CVE

Severity Breakdown

High: 2
Medium: 2

4 total CVEs

CVE-2026-24536 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Webpushr <= 4.38.0 - Unauthenticated Information Exposure

Jan 25, 2026 Patched in 4.39.0 (13d)
CVE-2024-34369 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Webpushr <= 4.35.0 - Reflected Cross-Site Scripting

May 3, 2024 Patched in 4.36.0 (5d)
CVE-2023-5620 · high · 7.2 · Missing Authorization

Webpushr <= 4.34.0 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

Nov 6, 2023 Patched in 4.35.0 (78d)
CVE-2023-35041 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Webpushr <= 4.34.0 - Cross-Site Request Forgery to Local File Inclusion via menu

Oct 19, 2023 Patched in 4.35.0 (96d)
Code Analysis
Analyzed Mar 16, 2026

Web Push Notifications – Webpushr Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (4 prepared)
Unescaped Output: 74 (88 escaped)
Nonce Checks: 3
Capability Checks: 3
File Operations: 0
External Requests: 2
Bundled Libraries: 2

Bundled Libraries

DataTables, jQuery

SQL Query Safety

80% prepared · 5 total queries

Output Escaping

54% escaped · 162 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
wpp_save_settings (include\save_settings.php:4)
Attack Surface
1 unprotected

Web Push Notifications – Webpushr Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_webpushr_test_notification · push.php:66

WordPress Hooks 35

action · admin_notices · include\save_settings.php:14
action · admin_notices · include\save_settings.php:84
action · admin_notices · include\save_settings.php:99
action · admin_notices · include\save_settings.php:124
action · admin_notices · include\save_settings.php:138
action · admin_notices · include\save_settings.php:194
action · woocommerce_product_options_general_product_data · include\webpushr_functions.php:457
action · admin_init · push.php:25
action · plugins_loaded · push.php:28
action · admin_menu · push.php:31
action · admin_enqueue_scripts · push.php:35
action · enqueue_block_editor_assets · push.php:37
action · transition_post_status · push.php:40
action · wp_footer · push.php:44
action · admin_footer · push.php:45
action · admin_init · push.php:50
action · add_meta_boxes · push.php:62
action · save_post · push.php:63
action · edit_form_after_title · push.php:69
action · admin_init · push.php:72
action · plugins_loaded · push.php:76
action · wp_front_service_worker · push.php:81
action · wp_admin_service_worker · push.php:82
action · woocommerce_add_to_cart · push.php:87
action · woocommerce_cart_item_removed · push.php:88
action · woocommerce_cart_item_restored · push.php:89
action · woocommerce_after_calculate_totals · push.php:90
action · woocommerce_thankyou · push.php:91
filter · cron_schedules · push.php:94
action · wp · push.php:97
action · webpushr_abandoned_cart · push.php:98
filter · superpwa_sw_filename · push.php:119
filter · superpwa_sw_template · push.php:121
action · init · push.php:146
action · parse_request · push.php:147

Scheduled Events 1

webpushr_abandoned_cart
Maintenance & Trust

Web Push Notifications – Webpushr Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 5, 2026
PHP min version: 5.6
Downloads: 285K

Community Trust

Rating: 94/100
Number of ratings: 60
Active installs: 10K
Developer Profile

Web Push Notifications – Webpushr Developer Profile

webpushr

1 plugin · 10K total installs

Trust score: 82
Avg Security Score: 92/100
Avg Patch Time: 48 days
Detection Fingerprints

How We Detect Web Push Notifications – Webpushr

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/webpushr-web-push-notifications/css/webpushr_admin.min.css
/wp-content/plugins/webpushr-web-push-notifications/js/webpushr_admin.min.js
Script Paths
https://cdn.webpushr.com/app.min.js
https://cdn.webpushr.com/sw-server.min.js
Version Parameters
webpushr-web-push-notifications/css/webpushr_admin.min.css?ver=4.11.0
webpushr-web-push-notifications/js/webpushr_admin.min.js?ver=1.4

HTML / DOM Fingerprints

JS Globals
webpushr